A question about Kerberos authentication and VPN
I was wondering how one goes about configuring Kerberos authentication for VPN w/o exposing the KDC on public DNS or a world-routable IP address.
If edu.mit.Kerberos points to the KDC, an internal network address (say 10.0.0.1), how can it authenticate when the VPN is not yet established? It would seem the IP would have to be mapped to an external, publicly-routable address, with port 88 allowed in. Is this what most people do to allow Kerberos authentication for VPN connections, or is there something obvious I am missing here?
Thanks,
-Iain